[cabfpub] Misissuance of certificates

Ryan Sleevi sleevi at google.com
Wed Dec 9 20:04:55 MST 2015


On Wed, Dec 9, 2015 at 6:39 PM, Rick Andrews <Rick_Andrews at symantec.com>
wrote:

> Ryan,
>
> Yes, that’s what I mean by private (not subject to the BRs).
>
> The concerns I raised still apply... today it is common practice for
> customers to use certificates from roots trusted by browsers for private
> and/or non-browser use cases. The ballot needs an implementation date in
> the future to allow us and other CAs time to implement options for
> customers that distinguish these private/non-browser certificates, to make
> sure customers are aware of how these new rules relate to the future
> disclosure of publicly-accessible certificates, and to allow customers to
> replace their existing certificates where needed. This is why we proposed
> the interim disclosure approach, where prior to that implementation date,
> disclosure would still happen, but with the subject details redacted.
>

Rick,

A few points of clarification, to make sure I am fully understanding your
message.

When you say 'private and/or non-browser use cases', is it correct to
understand this as:
1) Certificates that have a TLS serverAuth EKU
2) Certificates that are in-scope with the Baseline Requirements
3) Certificates that comply with the stipulations set forth in the Baseline
Requirements

If you have 1, then it should be well understood that you also have 2, and
thus necessarily also have 3, but I wanted to confirm that #1 is true.

However, your reply "private, not subject to the BRs" and "from roots
trusted by browsers" seems very much incompatible, if 1 is true, and if
this is the case, then we need to resolve this understanding as soon as
possible, as such an understanding seems incompatible with a number of root
program agreements.

If you have #1, however, I have trouble understanding how it _isn't_ a
matter of public interest and trust when such a certificate is misissued,
and thus would like to try to further understand the reasoning.